hacktricks/linux-hardening/privilege-escalation/logstash.md



{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}
{% endhint %}
{% endhint %}
{% endhint %}
{% endhint %}


## Logstash

Logstash is used to **gather, transform, and dispatch logs** through a system known as **pipelines**. These pipelines are made up of **input**, **filter**, and **output** stages. An interesting aspect arises when Logstash operates on a compromised machine.

### Pipeline Configuration

Pipelines are configured in the file **/etc/logstash/pipelines.yml**, which lists the locations of the pipeline configurations:

```yaml
# Define your pipelines here. Multiple pipelines can be defined.
# For details on multiple pipelines, refer to the documentation:
# https://www.elastic.co/guide/en/logstash/current/multiple-pipelines.html

- pipeline.id: main
  path.config: "/etc/logstash/conf.d/*.conf"
- pipeline.id: example
  path.config: "/usr/share/logstash/pipeline/1*.conf"
  pipeline.workers: 6
```

This file reveals where the **.conf** files, containing pipeline configurations, are located. When employing an **Elasticsearch output module**, it's common for **pipelines** to include **Elasticsearch credentials**, which often possess extensive privileges due to Logstash's need to write data to Elasticsearch. Wildcards in configuration paths allow Logstash to execute all matching pipelines in the designated directory.

### Privilege Escalation via Writable Pipelines

To attempt privilege escalation, first identify the user under which the Logstash service is running, typically the **logstash** user. Ensure you meet **one** of these criteria:

- Possess **write access** to a pipeline **.conf** file **or**
- The **/etc/logstash/pipelines.yml** file uses a wildcard, and you can write to the target folder

Additionally, **one** of these conditions must be fulfilled:

- Capability to restart the Logstash service **or**
- The **/etc/logstash/logstash.yml** file has **config.reload.automatic: true** set

Given a wildcard in the configuration, creating a file that matches this wildcard allows for command execution. For instance:

```bash
input {
  exec {
    command => "whoami"
    interval => 120
  }
}

output {
  file {
    path => "/tmp/output.log"
    codec => rubydebug
  }
}
```

Here, **interval** determines the execution frequency in seconds. In the given example, the **whoami** command runs every 120 seconds, with its output directed to **/tmp/output.log**.

With **config.reload.automatic: true** in **/etc/logstash/logstash.yml**, Logstash will automatically detect and apply new or modified pipeline configurations without needing a restart. If there's no wildcard, modifications can still be made to existing configurations, but caution is advised to avoid disruptions.


## References
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}
</details>
{% endhint %}
</details>
{% endhint %}
</details>
{% endhint %}
</details>
{% endhint %}
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00

a 2024-07-18 23:15:55 +00:00			`{% hint style="success" %}`
			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
a 2024-07-18 23:15:55 +00:00			`<details>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
a 2024-07-18 23:15:55 +00:00			`<summary>Support HackTricks</summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
a 2024-07-18 23:15:55 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`
a 2024-07-18 23:15:55 +00:00			`{% endhint %}`
			`{% endhint %}`
			`{% endhint %}`
			`{% endhint %}`
			`{% endhint %}`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00

a 2024-02-07 04:06:18 +00:00			`## Logstash`
GitBook: [master] 4 pages modified 2021-01-28 13:40:17 +00:00
a 2024-02-07 04:06:18 +00:00			`Logstash is used to gather, transform, and dispatch logs through a system known as pipelines. These pipelines are made up of input, filter, and output stages. An interesting aspect arises when Logstash operates on a compromised machine.`
GitBook: [master] 4 pages modified 2021-01-28 13:40:17 +00:00
a 2024-02-07 04:06:18 +00:00			`### Pipeline Configuration`
GitBook: [master] 4 pages modified 2021-01-28 13:40:17 +00:00
a 2024-02-07 04:06:18 +00:00			`Pipelines are configured in the file /etc/logstash/pipelines.yml, which lists the locations of the pipeline configurations:`
GitBook: [master] 4 pages modified 2021-01-28 13:40:17 +00:00
a 2024-02-07 04:06:18 +00:00			```yaml
			`# Define your pipelines here. Multiple pipelines can be defined.`
			`# For details on multiple pipelines, refer to the documentation:`
GitBook: [master] 4 pages modified 2021-01-28 13:40:17 +00:00			`# https://www.elastic.co/guide/en/logstash/current/multiple-pipelines.html`

			`- pipeline.id: main`
			`path.config: "/etc/logstash/conf.d/*.conf"`
			`- pipeline.id: example`
			`path.config: "/usr/share/logstash/pipeline/1*.conf"`
			`pipeline.workers: 6`
			```

a 2024-02-07 04:06:18 +00:00			`This file reveals where the .conf files, containing pipeline configurations, are located. When employing an Elasticsearch output module, it's common for pipelines to include Elasticsearch credentials, which often possess extensive privileges due to Logstash's need to write data to Elasticsearch. Wildcards in configuration paths allow Logstash to execute all matching pipelines in the designated directory.`
GitBook: [master] 4 pages modified 2021-01-28 13:40:17 +00:00
a 2024-02-07 04:06:18 +00:00			`### Privilege Escalation via Writable Pipelines`
GitBook: [master] 4 pages modified 2021-01-28 13:40:17 +00:00
a 2024-02-07 04:06:18 +00:00			`To attempt privilege escalation, first identify the user under which the Logstash service is running, typically the logstash user. Ensure you meet one of these criteria:`
GitBook: [master] 4 pages modified 2021-01-28 13:40:17 +00:00
a 2024-02-07 04:06:18 +00:00			`- Possess write access to a pipeline .conf file or`
			`- The /etc/logstash/pipelines.yml file uses a wildcard, and you can write to the target folder`
GitBook: [master] 4 pages modified 2021-01-28 13:40:17 +00:00
a 2024-02-07 04:06:18 +00:00			`Additionally, one of these conditions must be fulfilled:`
GitBook: [master] 4 pages modified 2021-01-28 13:40:17 +00:00
a 2024-02-07 04:06:18 +00:00			`- Capability to restart the Logstash service or`
			`- The /etc/logstash/logstash.yml file has config.reload.automatic: true set`
GitBook: [master] 4 pages modified 2021-01-28 13:40:17 +00:00
a 2024-02-07 04:06:18 +00:00			`Given a wildcard in the configuration, creating a file that matches this wildcard allows for command execution. For instance:`
GitBook: [master] 4 pages modified 2021-01-28 13:40:17 +00:00
			```bash
			`input {`
			`exec {`
			`command => "whoami"`
			`interval => 120`
			`}`
			`}`

			`output {`
			`file {`
			`path => "/tmp/output.log"`
			`codec => rubydebug`
			`}`
			`}`
			```

a 2024-02-07 04:06:18 +00:00			`Here, interval determines the execution frequency in seconds. In the given example, the whoami command runs every 120 seconds, with its output directed to /tmp/output.log.`
GitBook: [master] 4 pages modified 2021-01-28 13:40:17 +00:00
a 2024-02-07 04:06:18 +00:00			`With config.reload.automatic: true in /etc/logstash/logstash.yml, Logstash will automatically detect and apply new or modified pipeline configurations without needing a restart. If there's no wildcard, modifications can still be made to existing configurations, but caution is advised to avoid disruptions.`
GitBook: [master] 4 pages modified 2021-01-28 13:40:17 +00:00

a 2024-02-08 03:06:37 +00:00			`## References`
a 2024-07-18 23:15:55 +00:00			`{% hint style="success" %}`
			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`<details>`

a 2024-07-18 23:15:55 +00:00			`<summary>Support HackTricks</summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
a 2024-07-18 23:15:55 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`
a 2024-07-18 23:15:55 +00:00			`{% endhint %}`
			`</details>`
			`{% endhint %}`
			`</details>`
			`{% endhint %}`
			`</details>`
			`{% endhint %}`
			`</details>`
			`{% endhint %}`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00